{ "id": "e62729a7-4388-481d-a2db-05e002feb78b", "created_at": "2026-04-06T00:12:31.337039Z", "updated_at": "2026-04-10T13:11:20.197455Z", "deleted_at": null, "sha1_hash": "6701ddc5a2f66214589757e55b196d77daa199c4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49601, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:02:21 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MOPSLED\r\n Tool: MOPSLED\r\nNames MOPSLED\r\nCategory Malware\r\nType Reconnaissance, Backdoor\r\nDescription\r\n(Mandiant) MOPSLED is a shellcode-based modular backdoor that has the capability to\r\ncommunicate over HTTP or a custom binary protocol over TCP to its C2 server. The core\r\nfunctionality of MOPSLED involves expanding its capabilities by retrieving plugins from the\r\nC2 server. MOPSLED also uses a custom ChaCha20 encryption algorithm to decrypt\r\nembedded and external configuration files.\r\nMandiant observed sharing of MOPSLED between other Chinese cyber espionage groups\r\nincluding APT41. Mandiant considered MOPSLED to be an evolution of CrossWalk, which\r\ncan act as a network proxy.\r\nInformation\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations\u003e\r\nLast change to this tool card: 26 August 2024\r\nDownload this tool card in JSON format\r\nAll groups using tool MOPSLED\r\nChanged Name Country Observed\r\nAPT groups\r\n  UNC3886 2021-Early 2025  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50d20909-9e12-4a46-8305-7af8ae4ae861\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50d20909-9e12-4a46-8305-7af8ae4ae861\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50d20909-9e12-4a46-8305-7af8ae4ae861\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=50d20909-9e12-4a46-8305-7af8ae4ae861" ], "report_names": [ "listgroups.cgi?u=50d20909-9e12-4a46-8305-7af8ae4ae861" ], "threat_actors": [ { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434351, "ts_updated_at": 1775826680, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6701ddc5a2f66214589757e55b196d77daa199c4.pdf", "text": "https://archive.orkl.eu/6701ddc5a2f66214589757e55b196d77daa199c4.txt", "img": "https://archive.orkl.eu/6701ddc5a2f66214589757e55b196d77daa199c4.jpg" } }